From 095bb64fc735c54d0ebf17ba6c13e0de5af44a36 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Mon, 7 Jun 2021 11:50:01 +0200
Subject: [PATCH] libpq: Fix SNI host handling
Fix handling of NULL host name (possibly by using hostaddr). It previously crashed. Also, we should look at connhost, not pghost, to handle multi-host specifications.
Reported-by: Jacob Champion
Discussion: https://www.postgresql.org/message-id/504c276ab6eee000bb23d571ea9b0ced4250774e.camel@vmware.com
---
src/interfaces/libpq/fe-secure-openssl.c | 27 ++++++++++++++----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 00d43f3eff..36fec96ef1 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1087,20 +1087,25 @@ initialize_SSL(PGconn *conn)
 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
 * or IPv6).
 */
- if (conn->sslsni && conn->sslsni[0] &&
- !(strspn(conn->pghost, "0123456789.") == strlen(conn->pghost) ||
- strchr(conn->pghost, ':')))
+ if (conn->sslsni && conn->sslsni[0])
 {
- if (SSL_set_tlsext_host_name(conn->ssl, conn->pghost) != 1)
+ const char *host = conn->connhost[conn->whichhost].host;
+
+ if (host && host[0] &&
+ !(strspn(host, "0123456789.") == strlen(host) ||
+ strchr(host, ':')))
 {
- char *err = SSLerrmessage(ERR_get_error());
+ if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
+ {
+ char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
- err);
- SSLerrfree(err);
- SSL_CTX_free(SSL_context);
- return -1;
+ appendPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
+ err);
+ SSLerrfree(err);
+ SSL_CTX_free(SSL_context);
+ return -1;
+ }
 }
 }
-- 
2.31.1
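Review bot: The comment above the new condition still describes only the literal-IP exclusion, while the added `host && host[0]` guard silently skips SNI when the selected connhost entry has no host name; extend the comment, e.g. `* Also skip SNI when the connection has no host name (e.g. only hostaddr was supplied), since there is nothing to send.` That guard is the fix for the crash the commit message describes, so a reader of this block alone cannot tell that the NULL/empty case is intentional rather than incidental. Presumably `connhost[].host` carries the numeric address when only hostaddr was given, in which case the digits-and-dots/colon heuristic already suppresses SNI, but that is inferred rather than visible in this hunk. initialize_SSL continues on both sides of this hunk.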